By Dave Michmerhuizen, Security Researcher
Just yesterday, Barracuda Labs intercepted thousands of copies of a spammed phishing attack aimed at customers of the popular online video rental service Netflix. While phishing attacks are nothing new, especially against financial institutions, this attack is particularly well done.
Below we present the details of the attack, showing how the unsuspecting Netflix member might fall victim, as well as what to look for to avoid it.
Taking a deeper look, the recipient will noitice that the email was not sent to anyone by name. Also, mousing over the link shows that it does not go to Netflix.com. Instead, it goes to a deceptively similar domain, netflixus.com. This could be easily confused by the recipient since it is so similar, and also could be perceived as a geographical notation (US). Netflixus.com was registered on the same day that the phishing attack began, September 13. Clicking on the “update” link sends the user to a login page that looks like what one would expect from Netflix
One exception is the domain in the address bar: still netflixus.com. Additionally, the protocol used is not HTTPS, which reputable sites always use when asking for login names and passwords or for credit card information. All of the other links on this page and on the following pages point to netflix.com, so if the user mouses over this form it is extremely deceptive. The ‘Continue’ button takes the user to another part of the phishing site. As part of this experiment, we signed in with a fake username and password.
Once signed in, there is a landslide of warnings. The first is that the user is immediately asked for credit card information. This page is very well designed, right down to an image of the back of a credit card to help identify the security code. Netflixus.com still displays in the address bar, and although credit card information is being requested, the HTTPS protocol is not being used.
We responded with a dummy credit card number as indicated below. Once that happens the site obligingly sends the user’s browser to the real netflix.com home page:
This final step is one last step to make the user feel comfortable with the just completed transaction.
This attack serves as a great reminder to always pay attention online. Regardless of how “real” an email or site looks, users should be especially wary of those requesting the user to click on links to enter credit card information, passwords and so forth. There are several tell-all signs to check legitimacy, many of which we have outlined above.
Customers using the Barracuda Spam & Virus Firewall, Barracuda Web Filter, and/or the Barracuda Web Filtering Service are protected from this attack.